easy phone call

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is coherent with its stated purpose of user-confirmed AI phone calls, but users should note that it sends and stores phone numbers, conversation context, and call logs, and that it uses an external API key.

Install only if you are comfortable sending call details to https://www.skill.black and storing call records locally. Confirm every phone number and call purpose before approving a call, keep the API key private, and periodically delete the local request/call log files if they contain sensitive information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or premature invocation could call a real person or business, so the user should carefully confirm the target, number, and purpose.

Why it was flagged

The skill can initiate real outbound phone calls, including a force-outbound option, but the documentation also requires explicit confirmation before doing so.

Skill content

Only perform the outbound call after the user has explicitly confirmed. ... `uv run scripts/make-call.py --phone "{电话}" --messages '["用户: ..."]' --must-outbound`

Recommendation

Keep the confirmation step mandatory and use force-outbound only when the user clearly asks to call despite incomplete details.

What this means

Anyone with access to the configured API key may be able to consume the outbound-call service quota or make calls through the account.

Why it was flagged

The script reads an API key from the environment or config file and uses it to authenticate to the outbound-call service, which is expected for this integration.

Skill content

api_key = os.environ.get("OUTBOUND_API_KEY", "") ... "X-Access-Key": api_key

Recommendation

Store the API key securely, avoid sharing it in chat, and revoke or rotate it if it is exposed.

What this means

The registry summary may make the skill look simpler or less credential-dependent than it is.

Why it was flagged

SKILL.md declares a required runtime and API key, while the registry metadata lists no required binaries, no required environment variables, and no install spec. This is an under-declaration/provenance gap rather than evidence of hidden behavior.

Skill content

requires:
  bins: ["uv"]
  env:
    - OUTBOUND_API_KEY

Recommendation

Before installing, verify the skill files, expected API provider, and credential requirements; the publisher should align registry metadata with SKILL.md.

What this means

Phone numbers and call conversations may remain on the local machine after the call and could be seen by someone with file access.

Why it was flagged

The skill explicitly stores phone numbers, conversation content, and call logs locally, which is sensitive persistent context.

Skill content

Request records: `memory/skills/requests.jsonl`
- Call logs: `memory/skills/costs.jsonl`
- These two files contain PII (phone numbers, conversation content)

Recommendation

Review and delete the local log files when no longer needed, and avoid including unnecessary sensitive details in call instructions.